SENSITIVE BUT UNCLASSIFIED

United States Department of State
and the Broadcasting Board of Governors
Office of Inspector General

Office of Inspections

Inspection of the Bureau of Information Resource Management, Systems and Integration Office

Report Number ISP-I-12-30, June 2012

Important Notice

This report is intended solely for the official use of the Department of State or the Broadcasting Board of Governors, or any agency or organization receiving a copy directly from the Office of Inspector General. No secondary distribution may be made, in whole or in part, outside the Department of State or the Broadcasting Board of Governors, by them or by other agencies or organizations, without prior authorization by the Inspector General. Public availability of the document will be determined by the Inspector General under the U.S. Code, 5 U.S.C. 552.
Improper disclosure of this report may result in criminal, civil, or administrative penalties.

PURPOSE, SCOPE, AND METHODOLOGY OF THE INSPECTION

This inspection was conducted in accordance with the Quality Standards for Inspection and Evaluation, as issued in 2011 by the Council of Inspectors General on Integrity and Efficiency, and the Inspector’s Handbook, as issued by the Office of Inspector General for the U.S. Department of State (Department) and the Broadcasting Board of Governors (BBG).

PURPOSE AND SCOPE

The Office of Inspections provides the Secretary of State, the Chairman of the BBG, and Congress with systematic and independent evaluations of the operations of the Department and the BBG. Inspections cover three broad areas, consistent with Section 209 of the Foreign Service Act of 1980:

• Policy Implementation: whether policy goals and objectives are being effectively achieved; whether U.S.
interests are being accurately and effectively represented; and whether all elements of an office or mission are being adequately coordinated.

• Resource Management: whether resources are being used and managed with maximum efficiency, effectiveness, and economy and whether financial transactions and accounts are properly conducted, maintained, and reported.

• Management Controls: whether the administration of activities and operations meets the requirements of applicable laws and regulations; whether internal management controls have been instituted to ensure quality of performance and reduce the likelihood of mismanagement; whether instances of fraud, waste, or abuse exist; and whether adequate steps for detection, correction, and prevention have been taken.

METHODOLOGY

In conducting this inspection, the inspectors: reviewed pertinent records; as appropriate, circulated, reviewed, and compiled the results of survey instruments; conducted on-site interviews; and reviewed the substance of the report and its findings and recommendations with offices, individuals, organizations, and activities affected by this review.

PREFACE

This report was prepared by the Office of Inspector General (OIG) pursuant to the Inspector General Act of 1978, as amended, and Section 209 of the Foreign Service Act of 1980, as amended.
It is one of a series of audit, inspection, investigative, and special reports prepared by OIG periodically as part of its responsibility to promote effective management, accountability, and positive change in the Department of State and the Broadcasting Board of Governors.

This report is the result of an assessment of the strengths and weaknesses of the office, post, or function under review. It is based on interviews with employees and officials of relevant agencies and institutions, direct observation, and a review of applicable documents.

The recommendations therein have been developed on the basis of the best knowledge available to the OIG and, as appropriate, have been discussed in draft with those responsible for implementation. It is my hope that these recommendations will result in more effective, efficient, and/or economical operations.

I express my appreciation to all of those who contributed to the preparation of this report.

Harold W. Geisel
Deputy Inspector General

Table of Contents

Key Judgments
Context
Executive Direction
  Mission and Goals
  Leadership
  Communication
Program Implementation
  Contract Management
  Systems Development Life Cycle
  Program Management Functions
  Development Network
Business Engagement Center Division
  Planning, Acquisition, and Budget Branch
  Information Management Support Branch
  Enterprise Server Operations Center Customer Management Branch
Enterprise Server Operations Center Divisions
  Operations and Maintenance Division
  Design and Build Division
  Customer and Executive Information System
  Cloud Computing
Collaboration and Compensation Services Division
  Enterprise Collaboration Services Branch
  Compensation Applications Branch
Enterprise Programming and Integration Division
  Data Management Branch
  Integrated Projects Branch
  Application Development Branch
  Program Management Office
List of Recommendations
List of Informal Recommendations
Principal Officials
Abbreviations

Key Judgments

• The Systems and Integration Office (SIO) has a knowledgeable, hardworking, and engaged management team that, for the most part, effectively dispatches its duties, which involve a wide range of new and old technologies, centralized and decentralized models of network management, budgetary items it can and cannot control, as well as colocated and dispersed physical locations.

• SIO senior leadership has made a concerted effort to promulgate a cohesive mission statement and goals to direct the activities of the office.

• SIO’s implementation of cloud computing does not fulfill the essential characteristics of cloud computing as defined by the National Institute of Standards and Technology (NIST).

• SIO lacks adequate controls and procedures to monitor its multiyear contracts totaling more than $182 million.

• The use of SharePoint sites has grown significantly beyond the intended scope of this application, with many employing SharePoint to conduct daily business as well as support key
political and military events.

• SIO management has not enforced use of the systems development lifecycle (SDLC) process and methodology in all its relevant divisions and branches.

• Management needs to define clearly the role and organizational placement of the Program Management office and function and to standardize the use of terminology referring to office activities.

• Communication in all areas of SIO’s business needs improvement.

• SIO’s internal inventory process for managing and tracking is poorly defined and documented.

• SIO management has not begun working on a formal plan for the Compensation Application branch regarding the transition of the payroll support function to the Bureau of Resource Management.

The inspection took place in Washington, DC, between February 6 and March 16, 2012.
(b) (6)

Context

SIO is one of six functional areas of the Operations directorate in the Bureau of Information Resource Management (IRM). SIO traces its origins back to the Department of State’s (Department) establishment of the Automated Data Processing Office in 1959. After several reorganizations, that office evolved into SIO, which today provides application development, software integration, and enterprise server management services.
The full scope of SIO’s functions often overlaps with other areas of IRM and the Department, but it formally defines its mission as to “empower diplomacy with robust cloud computing, collaborative services, and integrated software solutions.”

SIO develops, deploys, and supports numerous applications at more than 200 posts and 28 bureaus. It has three data centers that provide enterprise server management for domestic bureaus, including support of the mainframe system that controls the Department’s payroll. SIO is known in the Department for some of its more widely used products and services such as Post Administrative Software Suite, eCountry Clearance, Enterprise Server Operations Center, and Microsoft Office SharePoint Server 2007.

SIO has five divisions supporting its mission. The Enterprise Server Operations Center (ESOC) Design and Build (D&B) division supports the standup of the enterprise-wide data centers and the Federal Data Center Consolidation Initiative. The ESOC Operations and Maintenance (O&M) division supports the operation of the data centers. The Collaboration and Compensation Services (CCS) division maintains the Department’s legacy payroll systems and provides enterprise-wide SharePoint technical support. The Enterprise Programming and Integration (EPI) division is responsible for several enterprise-wide software solutions, the enterprise service bus, and data management initiatives. The Business Engagement Center (BEC) division provides contract, budget, and administrative support to SIO.

SIO has developed five strategic goals for FYs 2012 and 2013 to link to the Department’s Information Technology (IT) Strategic Plan.
The first goal is the design and build of the ESOC West data center, including activities to automate and modernize backups and to support cloud computing, virtualization, and the Federal Data Center Consolidation Initiative. The second includes planning for upgrades and capacity growth, as well as customer service and performance measurement support. The third focuses on further development of collaboration services such as SharePoint, as well as sunsetting legacy mainframe applications. The fourth includes ambitious plans to implement Web services hosted on a centralized enterprise service bus, standardize metadata, and enhance enterprise applications. The fifth goal includes implementing financial management and inventory control, as well as monitoring service level agreements (SLA) with bureaus that have moved forward with data center consolidation with SIO.

The last goal will prove increasingly important as Department implementation of its recently entered Vanguard contract looms over SIO and IRM. The Vanguard effort is a Department initiative to consolidate all IRM contract activities under one performance-based contract. As such, it should compel a paradigm shift in the way IRM does business, as Department IT managers will have to adapt to a model of managing user expectations and evaluating contractor performance against the contract terms versus managing resources and affecting outcomes directly. There will be attendant consequences on most aspects of SIO operations and organizational structure as SLAs are crafted to mold operations to the lines of business outlined in the contract.

According to IRM, SIO has 77 full-time employees with 14 vacant positions. There are also 205 contractors from 14 different contract companies supporting SIO operations.
The total value for the life of these contracts, which are paid under the umbrella of the HITTS contract, is approximately $182 million. In FY 2011, SIO’s annual operating budget was approximately $72.2 million. SIO’s FY 2013 budget request was for more than $82 million.

Executive Direction

Mission and Goals

SIO senior leadership has made a concerted effort to develop and promulgate a cohesive mission statement to direct the activities of the office. Motivated by recent Office of Inspector General (OIG) reports highlighting the lack of such mission statements in other offices, SIO created a new mission statement that focuses on cloud computing, collaborative services, and integrated software solutions and posted it prominently around the office just prior to the OIG inspection. The statement is broad, technology neutral, and links SIO’s work to the Department’s business of diplomacy. However, the OIG team questions whether the statement is so broad that many employees may not understand how to contribute toward achieving it; for example, do system administrators or software developers working on SharePoint understand they are supporting the “platform as a service” portion of NIST’s cloud computing model? Interestingly, the first line on the “About Us” page of SIO’s intranet site describes the office as “the Department’s primary source for application development, software integration, and enterprise server management.” The OIG team found that language to be more succinct in describing the office’s role in the Department.
Nevertheless, time will tell whether the new mission statement will prove meaningful to SIO employees and help guide their efforts.

SIO also developed a document detailing its strategic goals and objectives; however, this information appears to bypass the SIO mission statement and be more aligned with the Department’s IT Strategic Plan. The document does have significant detail and demonstrates a commitment to larger Department goals. This commitment will be tested soon and for the coming years as IRM proceeds with the consolidation of all its contract activities under the performance-based Vanguard contract. Additionally, the Department’s retooling of the strategic planning and resource management process, along with an expected update of IRM’s IT Strategic Plan, provides an opportunity to revise SIO’s new mission statement to better reflect the office’s role. It will be important for SIO management to keep its focus on a potentially moving target and to treat its mission statement as part of a planning and implementing process requiring regular reviews, rather than as a completed checkmark.

Informal Recommendation 1: The Bureau of Information Resource Management should conduct periodic reviews of the Systems and Integration Office’s mission and goals to measure its progress in meeting the Department of State’s information technology strategic goals and make revisions as needed.

Leadership

The OIG team observed a knowledgeable, hardworking, and engaged management team that, for the most part, effectively dispatches its duties, which involve a wide range of disparate responsibilities that require working with both new and old technologies, centralized and decentralized models of network management, budgetary items it can and cannot control, as well as colocated and dispersed physical locations.
The SIO director joined the office in January 2007. IRM senior leadership universally lauds her abilities and achievements, and division and branch chiefs within SIO had positive comments about her leadership qualities. Other feedback included generally favorable scores on OIG’s inspection survey, with the interesting anomaly that full-time employee survey scores were slightly lower than contractor scores across the board. Those that reported having the most regular contact with the Director provided high praise, while those at lower levels with less frequent or no interaction with her had some complaints related to office communication and dissemination of management priorities. There were similar comments regarding the leadership qualities of division and branch chiefs, with some frustration about inconsistent organizational communication.

Within SIO, the OIG team encountered various accounts of leadership at the division and branch levels. Some are satisfied with how their group conducts its business; however, others complain about how the entity translates broader office goals into prioritized tasks. Some groups have been setting the scope of their work too broad, causing them to lose focus. Some complain that priorities change daily based on who is complaining the loudest. Priorities tend to be fluid, with constantly changing deliverable dates. Others note a lack of risk planning when translating goals into tasks. Additionally, the common use of matrix resources appears to have led to conflicting priorities and timelines for project deliverables.
These issues generally relate to communication of management priorities and implementation of organizational processes to achieve them.

A fairly common complaint among survey respondents and those interviewed during the inspection was that SIO does not have sufficient representation with senior IRM leadership. Some thought that key SIO products are often ignored or not funded, despite holding high significance with respect to the Department’s IT Strategic Plan. Some criticized the director for not sufficiently promoting SIO’s products with IRM senior management. Likewise, integration within and across IRM has been spotty and problematic, occasionally hampering SIO’s productivity when it must rely on other IRM organizational elements. Continued management engagement with other IRM directorates and offices will be necessary to achieve effective collaboration on projects.

Communication

Communication in all areas of SIO’s business needs improvement, with the possible exception of that with other agencies. The OIG team encountered myriad complaints of ineffective communication within SIO, within IRM as a whole, and with other bureaus in the Department. (b) (5) SIO management has made earnest efforts to improve communication, including various types of all-hands meetings, SharePoint sites, team-building exercises, and newsletters, but has yet to find the right balance. The challenges are numerous, including highly disparate employee functions and backgrounds, significant turnover in contract employees, and dispersed work locations.
The move of some staff to State Annex 9 has helped in some respects but has also led to complaints of too much communication, with offices having to sift through duplicate copies of the same information. Poor cross-team and interbureau communication is also a problem, with managers in other bureaus eschewing the proper channels and escalation procedures and instead communicating directly with a manager in SIO. Although this strategy works well for the individual, it circumvents the processes in place and impedes communication as a whole. The technology meant to enhance communication has also sometimes been the source of frustration, with messages being sent out in a scattershot manner and involving too many recipients to be productive. Meanwhile, many complained that most of the larger staff, all-hands, and other meetings on the already busy SIO schedule seem to rehash old information and thus are a waste of time. Others are weary of the leadership’s attempts at team-building exercises. The SIO director has planned to resume periodic newsletters as a means of communicating better with her staff.

Program Implementation

Contract Management

SIO currently has nine separate task orders under six contracts, with a total value of more than $182 million. Each contract is for a performance period ranging from 3 to 5 years. SIO functions will be consolidated as part of the 2.3.x series under the Vanguard effort, which is a Department initiative to consolidate all IRM contract activities under the umbrella of one performance-based contract with multiple task orders.
SIO’s existing task orders—SharePoint Operations and Maintenance, ESOC Operations, IRM Applications Operations and Maintenance, Data Management, and Integrated Project—will be part of the 2.3.x series. The compensation task order, which supports the responsibilities for the legacy payroll function that will be transferred to the Bureau of Resource Management, is not part of this effort.

SIO management has spent considerable time planning for the transition to the Vanguard contract and has established a Vanguard Project Team to assist with this effort. The Vanguard Project Team is led by the EPI division chief, with management representation from the other SIO divisions, the other IRM elements, and the executive office of the Bureau of Administration. The project team meets weekly and discusses progress made to date. Assigned individuals are reviewing the scope of services of existing contracts and developing performance metrics for evaluating the work performed. SIO is benefitting from lessons learned from the Vanguard 2.2.1 implementation and seems to be taking the needed time to plan. The OIG team encourages SIO to continue with its planning efforts for the Vanguard 2.3.x series and to be mindful of the importance of continuous communication with affected parties to ensure a smooth transition.

Central Repository

SIO lacks adequate procedures and controls to monitor contracts and the work performed by contractors. Contract documentation is located in multiple places, including personal emails, several electronic library sites, and in hard copy. SIO maintains at least three electronic library sites but does not have a mechanism for grouping the documentation together in a logical, systematic way or for linking documents to the other library sites.
Upon review of library files, the OIG team found duplicate and incomplete documentation, inconsistent naming conventions, and no verification that the contracting officer’s representatives (COR) and government technical monitors (GTM) have accessed and reviewed the files.

The recently created SIO Financial Private Library, which is the repository of contracts, agreements, training certifications, and delegations of authority for the CORs and GTMs, is also not organized so that the user can easily locate and/or review documents. The OIG team found no complete contract files containing contract deliverables such as monthly reports, meeting minutes, or correspondence between the COR/GTM and contractor in an accessible location. Further, although the financial library used internally by BEC management contains contractor invoice files, it does not show evidence of payment approvals. Based on the OIG team’s suggestion, BEC staff recently started uploading files such as invoices and emails to the financial library. However, these invoices are still being filed in the same manner as the earlier invoices, making it difficult to identify the invoice dates without opening each document.

Recommendation 1: The Bureau of Information Resource Management should establish a central repository for the management of Systems and Integration Office contracts so that all relevant documentation for each contract, such as statements of work, amendments, and invoices, are in one central location. (Action: IRM)

SIO management also does not have a centralized process for determining the status of obligations or funds for each contract.
SIO provided the OIG team with a spreadsheet, dated January 27, 2012, listing the contract ceiling limits and total amount spent for each contract. The OIG team found several factual errors, including incorrectly identified contract option years and expiration dates. The team also found that the total amount spent on the contracts had not been updated on the spreadsheets from January 13 to March 14. The process for invoicing involves multiple parties and steps, making the need for better management of contract funding and obligations even more pressing. Currently, division chiefs or GTMs verify contractor labor hours against the time and attendance information entered in either the Project Tracking System or Customer and Executive Information System (CEIS). Then the information is sent via email to BEC division staff members who compare the contractor invoices against the contract, verify fund availability, and complete the invoice approval form sent to Global Financial Services Charleston for payment. SIO estimates that it pays approximately 400 invoices per year. It is in SIO’s interest to continually track funds to help ensure accountability and meet priorities and goals.

Recommendation 2: The Bureau of Information Resource Management should prepare a funding document that details the authorized, spent, and remaining funds for each Systems and Integration Office contract and implement procedures to verify and update this information regularly. (Action: IRM)

Contracting Officer’s Representative and Government Technical Monitor Assignments

The process for assigning COR and GTM responsibilities for SIO contracts needs improvement. Specifically, individuals assigned with such responsibilities appear to have little or no daily interaction or involvement with the corresponding contractor and scope of work. For example, one assigned COR is also the GTM for the same contract, which has multiple task orders.
The individual commented on the inability to verify the labor hours and work for the contractors because the work being performed does not directly affect his specific division but rather the rest of SIO.

COR and GTM responsibilities in SIO are either assigned to division chiefs, SIO staff members, or a representative from the Bureau of Administration. SIO-assigned individuals perform their duties with varying degrees of diligence. Some of the CORs and GTMs have constant interaction with their contractor staff, either via emails or face-to-face meetings, and maintain supporting documentation to evaluate contractor performance. Other GTMs and CORs within SIO, however, could neither articulate their responsibilities for contract oversight nor produce documentation showing their continuous review of performance.

SIO-provided documentation shows all CORs and GTMs have completed the required training, but only half have received the mandatory Federal Acquisition Certification for CORs and GTMs that qualifies them for such appointments, as detailed in Procurement Information Bulletin No. 2010-20. As of July 2010, the Bureau of Administration requires all CORs and GTMs who hold delegation letters on active contracts to be certified no later than 6 months from the date of assignment.

Improper assignment of CORs and GTMs, as well as their incomplete training, affects SIO management’s ability to manage and oversee the work of its contractors. The responsibility for a COR or GTM is not always assigned to an individual who can provide the needed frequent interaction and oversight of the contractor’s work and scope of services. If not corrected, this issue could lead to overpayment of contractors or failure to meet project goals.
Given the more than 200 individual contractor employees supporting SIO operations, the OIG team encourages SIO management to take immediate action.

Recommendation 3: The Bureau of Information Resource Management, in coordination with the Bureau of Administration, should assign the responsibilities of contracting officer’s representatives and government technical monitors for Systems and Integration Office contracts to individuals who have the technical expertise to evaluate the scope of work performed by the contractors. (Action: IRM, in coordination with A)

Recommendation 4: The Bureau of Information Resource Management, in coordination with the Bureau of Administration, should implement a policy requiring all assigned contracting officer’s representatives and government technical monitors for Systems and Integration Office contracts to apply for Federal Acquisition Certification by completing the required training and submitting corresponding documentation to the Office of the Procurement Executive in accordance with Department of State guidelines. (Action: IRM, in coordination with A)

Contractors Managing Staff

The OIG team identified a contractor who was improperly managing full-time employees within the SIO organization by providing them with direction on assignments, project priorities, and daily management of tasks. The OIG team informed the relevant division chief, and corrective steps are being taken to address the problem. (See the Enterprise Programming and Integration Division section of this report for more details.)

Systems Development Life Cycle

Methodology

Within SIO, EPI is seen as the driving force in directing its SDLC process. In fact, the majority of SIO’s systems development activities occur within EPI, which is the only division that includes systems development in its mission statement.
An SDLC process defines the recommended procedure by which an organization envisions, defines, builds, deploys, operates, and maintains its systems and applications. An SDLC process is intended to establish a consistent, repeatable, and transparent process that can be tailored to a variety of project types.

With the efforts of EPI personnel, SIO documented and approved an SDLC process in November 2011. The documentation clearly defines the control gates for each phase of the process (initiation, planning design, test and deployment, and closeout), including required management approval and documentation. EPI’s documented SDLC process has been used and tailored by the other SIO divisions for their specific needs. CCS’s development activities, for example, are split primarily between payroll applications and SharePoint development. The payroll application development uses structured methodologies associated with legacy programming languages, whereas SharePoint development employs project development plans based on a traditional waterfall approach—a developmental methodology whereby a project moves to the next phase only upon completion and perfection of the preceding phase. CCS has borrowed from EPI in much of that approach.

SIO is currently reviewing its SDLC process to align it more closely with the Agile methodology, which highlights requirements and solutions that evolve through collaboration between teams. With more engagement with the customer, Agile methodology promotes adaptive planning and development and delivery while encouraging rapid and flexible response to change. However, SIO has not documented the Agile methodology effectively to ensure cohesion within the existing documented process.
Upon review, the OIG team found that Agile terminology is included in the document; however, it does not include control gates or details on the collaboration needed among teams and with customers. Further, the details on the Agile methodology appear to be described more as a hybrid process that includes some aspects of a waterfall methodology. When questioned, SIO management commented that a strict Agile methodology would not work across all SIO’s prospective projects, hence the hybrid approach. SIO has not established the process and criteria for determining which methodology to employ for each project, resulting in a potentially indeterminate gray area of hybrid combinations. This lack of rigor hampers SIO management’s ability to evaluate the completeness of documentation and the performance management review of each respective project.

Recommendation 5: The Bureau of Information Resource Management should clearly document the alternative systems development methodologies and criteria for use of each methodology in Systems and Integration Office development activities. (Action: IRM)

Project Tracking

The development of the Project Tracking System has assisted SIO in providing a platform for consistency in and enforcement of the SDLC process. The system is based on the Microsoft Project Server application and currently houses the information for several projects. The OIG team received a demo of the Project Tracking System and found it to provide the general requirements for project tracking. However, the system is not being used by all divisions and branches.

Recommendation 6: The Bureau of Information Resource Management should document which tool to use for centralized project tracking for Systems and Integration Office projects and enforce compliance among personnel.
(Action: IRM)

Program Management Functions

SIO has not clearly defined the role and organizational placement of the Program Management office and function or the use of terminology referring to its activities. Currently, SIO has multiple individuals acting in a program management or process improvement capacity. Further, terms such as “program management” and “process improvement” are used interchangeably within the office to describe the work of multiple individuals who perform similar functions.

Program management/process improvement functions are under the purview of a Program Management office within the EPI division that comprises 4 full-time employees and 14 contractors. These individuals are responsible for project management process improvement, IT security and compliance, configuration management, and architecture of EPI operations. Additionally, another individual within EPI functions as an advisor on special projects. SIO has also recently established a process improvement position reporting directly to the SIO director. The role of this individual is still being defined per discussions held with SIO management. In fact, this individual is performing functions under his previous responsibilities and has yet to reside full time in his new role. Further, the SIO director has recently informed management about possibly establishing a separate Program Management office within the BEC division.

It is unclear how the SIO director views the role of the Program Management office. The director commented that each division has good processes, and she is not certain of what, if any, are missing.
Although the incumbent of the process improvement position is responsible for completing an inventory of all processes, as stated earlier, this individual has not yet assumed his new duties. The SIO director is unaware of what overlaps may be present with the other process-focused positions and entities within SIO and plans to address this issue upon completion of the inventory of processes.

The OIG team expected that SIO would have conducted an analysis of existing processes and program management functions prior to filling any positions or making any organizational changes. Without such planning, confusion about responsibilities is inevitable. Management guidance is lacking on whether SIO will spread these specific roles throughout the office or consolidate them within one division/branch, as well as on the actual role and function of the Program Management office.

Recommendation 7: The Bureau of Information Resource Management should determine the role and organizational placement of the Program Management office and function within the Systems and Integration Office and define terminology pertaining to program management activities. (Action: IRM)

Development Network

SIO is not monitoring its development network properly. The development network, DevLan, is a stand-alone network used for development activities for SIO software programs and is handled jointly by the CCS and EPI divisions.
CCS administrators manage the DevLan servers, while both EPI and CCS staff provide oversight for patches and antivirus updates.
(b) (5)

(b) (5)

Recommendation 8: (b) (5)

Recommendation 9: (b) (5)

Business Engagement Center Division

The BEC division handles most of the administrative functions for SIO. The division chief and branch chiefs communicate effectively, meeting regularly to discuss the status of current projects and share pertinent information. BEC management also participates in Department-wide meetings to represent the views of SIO, indicating that the division chief has the trust of SIO management. However, BEC needs to improve its budgeting and inventory processes, as well as contract management, which is discussed earlier in the report. Most important, BEC employees could be structured more effectively for SIO by transferring some of their responsibilities to another SIO division, providing BEC the opportunity to focus more on its core functions.

BEC consists of three branches: Planning, Acquisition, and Budget; Information Management Support; and ESOC Customer Management. A staff of 10 full-time employees and 5 contractors provide project tracking, customer service management, and inventory management services, as well as internal SIO acquisitions, budgeting, and contract management functions.

Planning, Acquisition, and Budget Branch

The Planning, Acquisition, and Budget branch is responsible for most of BEC’s functions.
The six-person team manages the SIO inventory, software licensing, budgeting, contract management, acquisitions, credit card purchases, and office supplies for all of SIO. Overall, the branch performs most of its functions well. However, improvements are needed in inventory and budget management.

Inventory

Although inventory discrepancies have been within allowable limits, the processes for managing and tracking are poorly defined and documented. Many of SIO’s shared services were transferred to the Bureau of Administration as part of the Center for Excellence effort. Inventory, however, has remained a SIO responsibility, requiring SIO to account for and manage its hardware and software inventory while coordinating with the Bureau of Administration as needed.

For the hardware inventory, each of the five SIO divisions has its own primary area custodial officer, with the ESOC division having several because of its multiple locations. Each area custodial officer performs a check of the hardware inventory each year and reports the information to branch staff members, who consolidate the inventory information and send it to the Bureau of Administration for uploading to the Integrated Logistics Management System. Branch staff began drafting property management standard operating procedures in August 2011. However, the document is still not final and does not provide a clear definition or explanation of what constitutes “hardware” to be included in SIO’s inventory records.
The OIG team also learned of discussions to separate the ESOC inventory from the rest of SIO for better accountability; however, the OIG team did not see corresponding decision documents or a note of such plans within SIO’s standard operating procedures.

Recommendation 10: The Bureau of Information Resource Management should revise and finalize the property management standard operating procedures for the Systems and Integration Office to provide clear definitions for and identification of division and individual responsibilities. (Action: IRM)

Hardware inventory tracking also warrants attention. Currently, area custodial officers are conducting inventory reconciliation for their respective divisions and forwarding this information to assigned staff members. However, neither BEC nor the rest of SIO uses a centralized tool to track its inventory information internally. Instead, staff is using paper or an old version of a utility within IRM’s Remedy IT Service Management suite to track inventory information. Because there is no consistent tracking mechanism, some of SIO’s inventory items are missing. For example, during the course of the inspection, area custodial officers spent several weeks performing “floor sweeps” looking for missing items. At the end of the initial reconciliation period, SIO reported to the Bureau of Administration more than $275,000 in missing equipment. Although this amount is less than the 1 percent allowed by Bureau of Administration requirements, several of the items cost more than $5,000 each, requiring SIO to report the discrepancies to the Department’s Property Survey Board for action.
A more concerted effort of inventory oversight and accounting by SIO would help resolve this problem.

Recommendation 11: The Bureau of Information Resource Management should implement a tool for the Systems and Integration Office to track its inventory. (Action: IRM)

The software inventory process is a work in progress for SIO. Each SIO division used to handle its own software ordering, receiving, and licensing processes. SIO management decided to consolidate those activities under BEC and, in the process, identified a problem with expired software licenses. BEC management has been reviewing the issue in two phases. The first includes documenting the “as is” environment for software. The second entails documenting the “to be” environment, selecting a tool to track licenses, creating a workflow diagram, and revising the existing standard operating procedure. The OIG team obtained a copy of the developed workflow diagrams explaining the current “as is” process for ordering and receiving software and found it to be detailed and clear. SIO management is working toward a method for tracking software licenses, and the OIG team supports its efforts in this regard.

Budget

SIO is not using set criteria or guidelines for financial decisionmaking. The Planning, Acquisition, and Budget branch manages SIO budget activities. Currently, SIO is operating under a continuing resolution; however, it did submit a budget request for more than $82 million for FY 2013. BEC management attends weekly budget meetings with representatives from IRM. However, the OIG team attended several of these meetings and found the discussion to be unfocused and unclear.
Lack of clarity from IRM has led to SIO’s development of its own internal approval process to track funding requests—the financial CCB.

As part of this internal SIO process, employees submit funding requests for training and purchases to their respective branch and division chiefs for review and approval. Requests are entered into CEIS and then exported by the BEC division chief into a spreadsheet every week for the SIO senior staff meeting. The SIO director and division chiefs, which form the financial CCB, review purchase and training requests and approve or reject them. Approved requests are placed onto a purchase fund request form and submitted to IRM senior management for final approval and action.

The internal financial CCB process is a useful management tool for setting priorities. However, no set criteria or guidelines are used by management for decisionmaking. As a result, there is no clear rationale for approving or rejecting requests. (b) (5)

Recommendation 12: The Bureau of Information Resource Management should develop a set of criteria and guidelines for the Systems and Integration Office’s financial change control board to use in its review of and decisions on purchase and training requests. (Action: IRM)

A contractor within the branch handles SIO’s budgeting, which is typically an inherently governmental function. This individual is responsible for and privy to the full spectrum of information on budgeting, funding requests, and pending contracts for SIO activities. Although BEC management has commented that SIO management approval is needed before any budget action, the OIG team is concerned about potential conflicts of interest and lack of independence in budgeting activities.
The contract company employing this individual accounts for a large portion of SIO contractor staff in operational fields. Granting this contractor access to all budget information could thus afford his company an unfair advantage on future opportunities. Further, the risk of losing institutional knowledge is possible with such heavy reliance on one contract employee to compile budget information and attend meetings on behalf of SIO.

Recommendation 13: The Bureau of Information Resource Management should reassign the responsibility for monitoring and tracking of and accounting for budget information in the Systems and Integration Office to a government full-time employee and make only limited budget information accessible to contractor staff. (Action: IRM)

Information Management Support Branch

The Information Management Support branch, a team of four individuals, handles the development and management of the Project Tracking System, as well as SharePoint waiver requests. The Project Tracking System uses Microsoft Project Server to fulfill two purposes—tracking the time and attendance for contract staff and assisting with project management for SIO projects. Use of the system for project management is not mandatory, but the SIO director has advised employees to use it for their respective projects. More discussion on the Project Tracking System and its linkages to the SDLC process is provided in the Executive Direction section of this report. The responsibility for SharePoint waiver requests, however, could be better aligned within another SIO division.

SharePoint Waiver Requests

The CCS division used to handle SharePoint waiver requests; however, two employees in the BEC division are now responsible for this function.
Posts or bureaus submit waiver requests to establish a local SharePoint environment primarily because the centralized SharePoint platform does not perform well at posts that have low bandwidth or high network latency. The requesting post or bureau completes a waiver form and submits it to SIO, which then passes the form to IRM’s Enterprise Network Management office for latency analysis. The regional bureau’s executive director approves the cost and personnel resource allocation to support the waiver and then forwards the form to SIO for final recommendation and action. According to staff members, the latency analysis performed by IRM’s Enterprise Network Management office drives the decision on SharePoint waivers. Since 2009, SIO has received a total of 54 requests, with 40 receiving approval. The number of waiver requests processed is minimal and could easily be reassumed by the CCS SharePoint team without burdening staff. Centralizing all SharePoint functions within CCS would provide decisionmakers with the most current information on upgrades and schedules.

Recommendation 14: The Bureau of Information Resource Management should reassign the responsibility for the management and analysis of SharePoint waiver requests to the Collaboration and Compensation Services division within the Systems and Integration Office. (Action: IRM)

Enterprise Server Operations Center Customer Management Branch

The ESOC Customer Management branch, a team of three individuals, works under the coordination of BEC staff on the development and updating of ESOC SLAs and recently assumed responsibility for participating on the Department’s IT Change Control Board and performing an analysis of Remedy tickets on behalf of SIO.
Because ESOC is better positioned to handle its own SLAs, it makes sense to transfer overall responsibility for this function from BEC to ESOC personnel.

Service Level Agreements

BEC staff members coordinate the development and updating of SLAs, which includes 129 active agreements and 67 up for renewal. ESOC SLAs are provided to Department bureaus or offices as part of the data center consolidation of their servers and networks. Generic SLAs are provided to each customer, with attachments detailing specific information pertaining to the operational support and setup for that particular bureau or office.

BEC staff commented that the ESOC SLA process needs improvement and has been working with ESOC personnel on developing a workflow document. Specifically, BEC staff noted lack of clarity on the divisions’ respective roles and responsibilities and on the point at which BEC and ESOC staff become involved in the SLA process. This became an issue when new Department customers started contacting ESOC personnel for consultation, and ESOC informed BEC staff as an afterthought. ESOC personnel are now regularly informing BEC of their discussions with new customers so that the latter can prepare any necessary documents. It is understandable why customers would seek information from ESOC personnel, as they handle the operational support for the bureau as part of the data center consolidation. Because ESOC personnel have daily involvement with data center consolidation activities, they are also better equipped to answer any questions or inquiries from existing or new customers. Further, ESOC staff can provide customers with information on storage capacity, operational support levels, and timelines.
For these reasons, it makes sense for ESOC to take responsibility for its SLAs.

Recommendation 15: The Bureau of Information Resource Management should reassign the responsibility for Enterprise Service Operations Center service level agreements to the Enterprise Service Operations Center division within the Systems and Integration Office. (Action: IRM)

Enterprise Server Operations Center Divisions

ESOC consists of two divisions—O&M and D&B. The O&M division provides around-the-clock operational and maintenance support for the Department’s domestic data centers, and the D&B division assists with the architecture, modernization, and expansion of Department IT facilities by standardizing IT processing resources such as servers, databases, and applications.

The ESOC divisions are well managed by their division chiefs and staff. Processes are in place to handle everyday tasks, contingencies, and any crisis that might arise. ESOC is performing data center consolidation in accordance with the Federal Data Center Consolidation Initiative. ESOC is also moving the Department toward greater virtualization, both domestically and internationally, in conjunction with the IRM Global Information Technology Modernization program. Further, ESOC is leveraging those virtualization and data center consolidation efforts to move the Department toward cloud computing, which is defined and discussed in detail in the Cloud Computing section of this report.

Operations and Maintenance Division

The O&M division manages the operational domestic data centers.
ESOC East is primarily a contractor-owned and -run facility that requires Department oversight of the building; heating, ventilation, air conditioning, and electrical services; and management of the servers and rack space. ESOC West, meanwhile, is nearing completion on the western power grid. It is owned and operated by the Department, including facilities management; heating, ventilation, air conditioning, and electrical services; and all servers located in the data center.

ESOC currently provides operational support to 28 bureaus and offices and manages approximately 5,043 servers. Customers include large stakeholders such as the Bureau of Consular Affairs and smaller customers with only one or two servers. The type of support provided by ESOC could be one of five options ranging from “colocated,” which includes minimal oversight, to “managed,” which requires ESOC to manage all hardware and operating system maintenance. At overseas posts, and in conjunction with IRM’s Global Information Technology Modernization program, ESOC is working on combining multiple infrastructure servers into a local virtual infrastructure. Virtualization allows multiple servers to be hosted on one piece of hardware—thus saving energy, space, and cooling. This project is on schedule for completion in FY 2015.

SIO has implemented a process of SLAs to ensure quality customer service. As stated earlier in the report, a generic SLA is customized with amendments for each customer to describe the respective bureaus’ or offices’ setup and level of support to be provided. The SLAs require the O&M support desk to respond to an ASG-Sentry alert (a server monitoring service) within 10 minutes.
The ESOC local area network administrator remotely checks the server, notifies the customer by email within 15 minutes or by phone within 30 minutes, and begins troubleshooting the outage. The ESOC local area network administrator is required to be on site within 90 minutes from the initial notification. The typical stakeholder’s SLA requires O&M to meet these markers 90 percent of the time. The CEIS trouble ticket monitoring system demonstrated that O&M has been meeting its SLA requirements 97 percent of the time during the past year. However, CEIS also shows 28 percent of servers as “unknown” in status, indicating there are no SLAs in place governing the management of those servers.

The Department began a data center consolidation program in 2002 to support the Department’s global IT infrastructure. The Department was well along on this effort by the time the Federal Chief Information Officer kicked off the Federal Data Center Consolidation Initiative in February 2010, which requires agencies to perform asset inventories and create a data center consolidation plan. The Department had initially conducted an asset inventory in 2007, prior to the Federal Data Center Consolidation Initiative mandate. The latest update shows that enterprise applications and network services for supporting worldwide Department objectives are enabled by more than 5,000 servers located in 12 data centers in the United States. Currently 42 percent of all domestic servers have been virtualized. The Data Center Consolidation goals include consolidating, optimizing, and decommissioning more than 70 percent of the data centers by FY 2015.
ESOC is on track to achieve those goals.

During the inspection, the OIG team observed that not all servers and network devices in the data centers have complete labels. The servers managed by O&M are labeled properly, whereas servers colocated with, (b) (5)

Informal Recommendation 2: (b) (5)

The data centers designed and managed by ESOC meet all physical and security requirements (b) (5)
(b) (5)

Informal Recommendation 3: (b) (5)

Legacy Support Branch

The Department has been migrating away from the legacy mainframes to open systems computing[1] for the past decade, and consequently the need for legacy mainframe computers and staff is fast disappearing. The move by private industry and the Department away from mainframe computing to open systems has been customer driven. Some of the prominent Department mainframe applications supporting financial, retirement, and consular operations have already migrated during the past 5 years. The two remaining major mainframe applications are the Bureau of Resource Management’s Consolidated American Payroll Processing System (CAPPS) application and the retirement records system, which are expected to be migrated by the end of 2013 or beginning of 2014. As mentioned earlier in the Collaboration and Compensation Services Division section of this report, this migration will eliminate the need for the payroll support function.

The significant decrease in the Department’s overall number of mainframe applications has resulted in ESOC’s having a larger capacity mainframe computer and more employees than it needs to support operations.
In an effort to save money and better align the scope of operations with the Department’s needs, SIO management acquired a smaller mainframe computer and reassigned or eliminated its contract employees.

Developing a workable solution for ESOC’s 13 full-time employees in the Legacy Support branch has been difficult; however, ESOC management has tried to upgrade the technical skills of operations staff members so that they can transition to positions requiring knowledge of newer technology. Toward this end, ESOC management developed a training plan to provide the Legacy Support branch staff with details on the technical skills necessary to be effective with the newer open systems. The ESOC open systems training plan was patterned after the Foreign Service Institute’s IT training program, which requires students to meet certain course prerequisites before being eligible for the next, progressively more difficult course. At the end of the training period, individuals would, in theory, have the necessary understanding and skills to be competent and ready to work with open systems.

Since implementing the training plan, SIO has experienced budget cuts resulting in limited availability for staff to attend classroom courses. However, ESOC management continues to encourage Legacy Support branch staff to attend courses and makes their doing so a priority. ESOC management has also instituted a small pilot program to give a few ESOC Legacy Support branch staff members an opportunity to work with open systems as a first-level help desk staff member. The OIG team encourages ESOC management to continue to provide such opportunities to the Legacy Support branch.

Design and Build Division

The D&B division is led by an effective division chief with a strong technical background.
The division chief’s focus during the inspection was the standup of a new enterprise
data center—ESOC West. In his absence, most day-to-day management responsibilities for the
ESOC D&B division were handled by the other ESOC division chief.

[1] Open systems are defined as a class of computers and associated software that provides some combination of
interoperability, portability, and open software standards. The open system standard used by the Department is
based on the Microsoft Windows operating system.

The D&B division manages the design and building of the ESOC data centers, oversees
implementation of the Federal Data Center Consolidation Initiative, and provides enterprise-level
Tier III technical support. The D&B division has four areas of responsibility, each one managed
by a technical team lead. These four areas include virtual infrastructure, network, backup and
recovery, and monitoring and access. Each technical team lead manages and provides technical
oversight for his or her assigned contract staff. The four technical teams work in a collaborative
manner with ESOC customers to ensure that systems being migrated by or operating in ESOC
have adequate processing capability and sufficient disk storage and are backed up and monitored
appropriately. In addition to the four teams, the division has a Project Management branch and a
Cloud Services branch. The Project Management branch coordinates communication between
the four technical teams (lanes), and the Cloud Services branch focuses on the development of
cloud services internal to SIO.

Customer and Executive Information System

CEIS has become an integral part of ESOC operations and has assisted the division in
serving its customers.
The CEIS application is a custom-built, integrated system that is a central
collection point for all ESOC activities, including asset and configuration management, project
tracking, and management reporting. CEIS also continues to play a critical role in helping SIO
provide status updates regarding its compliance with the Department’s Federal Data Center
Consolidation Initiative.

The CEIS application contains system owner information and technical details on the
thousands of applications and systems that run in ESOC. The database also stores monitoring
information from the various customer applications and uses this information to automatically
identify problems as they occur as well as potential problems that might occur.

Unlike the Department’s Remedy help desk application, CEIS is proactive in that it uses
the monitoring information as a trigger to generate an automatic escalation process to alert ESOC
staff or the customer of a reportable condition, which is often tied to the customer’s SLA and to
ESOC’s escalation procedures. Typically, ESOC staff can alert a customer in less than 10
minutes after an incident occurs. The CEIS workflow escalation process includes information to
guide the ESOC technician through the steps to troubleshoot and resolve a problem.

Cloud Computing

The notion of cloud computing has been a topic of conversation in the IT field for several
years now, and though many might have difficulty defining it clearly, that uncertainty has not
stopped budgets from bending to accommodate the technology’s early adopters. The Department
shares that uncertainty over what type of cloud environment to pursue, how much to invest, who
is responsible, and which rules to follow.
Although SIO has done much innovative work in the
spirit of cloud computing, its implementation of cloud computing at this point does not meet the
requirements outlined in Federal guidance.

Cloud computing is generally regarded as the delivery of computing capability as a
service rather than a product, much like the difference between purchasing power from a utility
company over the power grid and buying a generator. Cloud computing is often distinguished
further from the utility analogy by describing the software as a service model, wherein the
customer has no knowledge of or control over the underlying technology infrastructure
supporting the service. NIST defines cloud computing as a model for enabling ubiquitous,
convenient, on-demand network access to a shared pool of computing resources that can be
rapidly provisioned and released with minimal management effort or service provider
interaction.

Cloud computing has been a focal point in the Federal government for several years
because of its vast potential for creating economies of scale across Federal agencies and for
realizing cost savings. It has been advanced by efforts such as the Cloud First Policy and, more
recently, by the Federal Chief Information Officer in a memorandum to agency chief information
officers in December 2011, directing them to use the Federal Risk and Authorization
Management Program to identify and select vetted cloud service providers. NIST has also
provided guidance on implementing Federal cloud computing requirements within NIST SP 800-45.

In the Department, cloud computing has featured prominently as a goal in the IT
Strategic Plan and in the previous IRM Bureau Strategic and Resource Plan.
IRM’s Strategic
Planning Office is leading Department efforts to plan a cloud computing strategy. The main flash
point in that discussion revolves around the extent to which the Department commits to cloud
computing—whether it will consist of an internally built and maintained “private cloud,” or
whether the Department purchases computing services from an external provider in the “public
cloud,” or some combination thereof. SIO would be responsible for implementing the
Department-wide private cloud environment.

Systems and Integration Office Implementation of Cloud Computing

In an effort to realize the benefits of cloud computing, SIO has pursued a private cloud
environment for its customers, which is similar to many other Federal agencies and corporations.
The consolidation of the Department’s individual data centers into enterprise-level data centers
as part of the Federal Data Center Consolidation Initiative fulfills many of the overarching cloud
computing goals laid out in the Cloud First Policy and the previous IRM Bureau Strategic and
Resource Plan. These goals include improved asset utilization, aggregated demand, and
improved network and application. However, as it stands today, SIO’s implementation does not
fulfill the characteristics of a cloud computing environment as defined by NIST, which has
developed a model that includes five essential characteristics of a cloud environment, four
alternative deployment models, and three alternative service models.

The five essential characteristics that define a cloud environment are on-demand self-service,
broad network access, resource pooling, rapid elasticity, and measured services. ESOC
does not fully satisfy any of these characteristics.
Although ESOC customers can make limited
changes to their application and configuration, they cannot make changes automatically to their
server or network storage without ESOC assistance (on-demand self-service). The customer does
not yet have the capability of accessing ESOC systems from a variety of computing platforms,
such as thin clients, tablets, or mobile phones (broad network access). The ability to pool
resources and automatically reassign computing resources according to consumer demand does
not exist within ESOC (resource pooling). The capability of adding and releasing computing
resources commensurate with demand without ESOC intervention does exist to some extent
(rapid elasticity). Although ESOC has some capability to monitor and use a monitored value to
alert a customer of a problem, the value cannot be used automatically to control and optimize
resources (measured services).

The deployment model attribute refers to the cloud customer base. Because the ESOC
infrastructure is exclusively for the Department’s domestic customers, the implementation of an
ESOC cloud would thus be considered private. The other attribute used in the NIST cloud
definition is the service model. Because ESOC customers have some capability to modify their
computing resources within the Department’s security guidelines and ESOC’s processes, the
type of service model used by ESOC is called “infrastructure as a service.”

Even in the case of a private cloud, NIST’s essential characteristics are still applicable
and serve to define those traits that make pursuing a cloud environment worthwhile, even if only
to a degree.
The appropriate measure of applicability is discovered through strategic planning.
Within SIO, if the focus is to remain on the private cloud, this should be made clear in its
mission statements and elaborated on more in the next Department IT Strategic Plan and the next
bureau strategic planning request. Ultimately, the development and implementation of a
Department-wide cloud architecture will require close coordination among IRM and other
Department offices to ensure a vision that is consistent with Department-level strategic plans. Be
the cloud public or private, it would be advisable for senior IRM management to review the
NIST model as given in NIST Special Publication 800-145 to ensure that the Department’s cloud
computing goals are consistent while ensuring appropriate security controls and compliance with
Federal requirements.

Recommendation 16: The Bureau of Information Resource Management should incorporate the
essential characteristics of cloud computing as specified by the National Institute of Standards
and Technology model into its cloud computing efforts to facilitate consistency among mission
statements and goals. (Action: IRM)

Collaboration and Compensation Services Division

The CCS division successfully maintains systems that perform some of the more vital
services in the Department, despite the juxtaposition in one division of state-of-the-art
collaboration tools with some of the more outdated legacy technology still in use. CCS is
responsible for two enterprise-level programs—SharePoint and CAPPS. The division’s efforts
with SharePoint have brought new methods of information sharing to the Department and in
some cases revolutionized office workflow processes.
This achievement has had some
unintended consequences as offices have relied on SharePoint to an unexpected degree.
Meanwhile, the payroll function has been reliably and consistently dispatched but faces an
uncertain future in CCS as transition plans loom. Overall leadership at the division and branch
levels is strong, and staff members share a sense of camaraderie and enthusiasm for their work.

Division staff includes 71 individuals: 10 Civil Service employees, 2 Foreign Service
employees, and 59 contractors within two branches—Enterprise Collaboration Services and
Compensation Applications. The Enterprise Collaboration Services branch has a staff of 50 and
is responsible for supporting SharePoint operations, whereas the Compensation Application
branch has a staff of 18 and supports CAPPS. CCS has had long-term difficulties in staffing the
Enterprise Collaboration Services branch chief position. Although the position was filled in
August 2011 after a lengthy vacancy, the incumbent has since been promoted within the SIO
organization and the position is once again vacant. The CCS division chief has raised with SIO
management the importance of and need for filling the branch chief position.

Enterprise Collaboration Services Branch

The Enterprise Collaboration Services branch provides custom development and
technical support for SharePoint, as well as customer support at the Tier II and Tier III levels.
SharePoint is a multipurpose Web application used for online collaboration, content
management, and workflow processing. The branch’s main focus is managing and supporting
SharePoint services. The division chief is well regarded among staff members for her leadership,
focus, and approachability. The equally engaged branch chief has set high standards of
performance in a professional manner to complete tasks and goals.
Individual and group
meetings help to keep everyone informed and allow staff to express ideas. Staff members have a
sense of camaraderie, and morale is good in spite of uncertainty about the potential effect of the
Vanguard contract.

SharePoint Program

SharePoint began as a State Messaging and Archive Retrieval Toolset pilot initiative and
transitioned to SIO in 2008. SharePoint was designed as a knowledge management platform to
facilitate information sharing and collaboration among bureaus and offices. However, the use of
SharePoint has grown significantly beyond its intended scope, as demonstrated by the increase in
the number of SharePoint sites from 208 in 2008 to more than 25,000 in 2012. To date, the
Department has spent more than $15.6 million on SharePoint development and implementation.
According to SIO management, the application has become a mission-critical tool, with many
Department officials using SharePoint to conduct daily business as well as support key political
and military events.

The SharePoint program is deployed on OpenNet, ClassNet, and SIPRNet, as well as on
the Internet to create public-facing Web sites. The consensus is that SharePoint was never
intended to be a mission-critical application. The planned and implemented deployment of
SharePoint has been based on its use as a collaboration tool. However, over time, bureaus have
become increasingly more dependent on the application, to the point where many now automate
workflow processes—their day-to-day tasks—through SharePoint. Such extensive usage, where
any downtime can affect a bureau’s ability to fulfill its mission, means that SharePoint has
essentially become mission critical to these entities.
It is thus time to reevaluate risk assessments
and other terms and conditions that were party to any SLAs entered into by SIO and its
customers. Actions to remedy any shortcomings identified would follow, such as increased
security controls or resources, as well as a new understanding on the part of customers as to what
level of availability and customer service they really need and what level of customer service
support CCS can actually provide. Such a discussion might also inform any future plans for a
cost model.

From an information security standpoint, a reevaluation would involve revisiting the
Federal Information Processing Standard’s 199 categorizations assigned to SharePoint. For
Federal Information Security Management Act purposes, SharePoint is treated as a series of Web
sites and therefore as a part of each general support system. In the case of OpenNet, SharePoint
inherited the same moderate security categorization that was assigned to OpenNet—resulting in
enterprise SharePoint administrators and site collection managers being required only to
implement security controls for the application that are consistent with a moderate
categorization, despite the high reliance certain entities within the Department have on the
application to conduct their daily business. Further, the documentation submitted to the IT asset
baseline, the application that maintains the official Department inventory of systems for
reporting to the Office of Management and Budget, is rather sparse. There is no mention of a
parent-child reporting relationship between OpenNet as a general support system and SharePoint
as merely Web sites hosted on that system.

Recommendation 17: The Bureau of Information Resource Management should perform a risk
management assessment of SharePoint and determine the appropriate security categorization
based on its current scope and use.
(Action: IRM)

Another important consideration is that the use of SharePoint is dynamic and that risk
management assessments can be valid only for a specific point in time. Customer behavior and
usage of SharePoint will continue to evolve beyond the stage at which the risk assessment is
performed, as evidenced by the wide proliferation of site collections. To handle that growth and
provide better service according to multiple levels of mission criticality, SIO is already planning
to create multiple server farms capable of meeting the different requirements as part of their
SharePoint 2010 migration. However, customers could potentially still create sites and store
content on those sites that is above the security categorization level at which the farm is
accredited. Therefore, it will be important to ensure that site collection administrators and
business owners certify their understanding of the categorization level of each SharePoint farm
and the specific limitations on content within the SharePoint environment.

Recommendation 18: The Bureau of Information Resource Management should revise the
service level agreement process for SharePoint services to include a signed certification of
understanding from both parties regarding the current security categorization of SharePoint and
the specific limitations on content within the SharePoint environment and implement a process
for periodic review of the agreement. (Action: IRM)

Customer Support

Customer support for SharePoint gets mixed reviews from customers, largely because
this function is shared between the Enterprise Collaboration Services branch and the IT Service
Center (ITSC)—the single point of contact for all Department-wide IT support for consolidated
bureaus.
ITSC is responsible for issuing, logging, and tracking a ticket for each incident, as well
as for posting notices about SharePoint outages. ITSC attempts to resolve the problem at the Tier
I support level. If unsuccessful, ITSC transfers the issue to CCS, which handles Tiers II and III
customer support levels. ITSC notifies customers of scheduled and unscheduled outages upon
receipt of a CCS-generated email with the outage notification information. CCS also follows up
with a phone call to ITSC about the email. ITSC allows a 90-minute window for sending emails
with notification alerts, which has led to customer complaints about system outages due to the
lack of a timely notification. The process is cumbersome and inefficient. Any delay in
communicating an outage, especially an unscheduled one, affects customer operations and
reflects poorly on IRM customer service.

Recommendation 19: The Bureau of Information Resource Management should transfer the
primary responsibility for notifying customers on SharePoint outages from the Information
Technology Service Center to the Systems and Integration Office and revise the operational level
agreement accordingly. (Action: IRM)

CCS has updated its internal standard operating procedures for ticket processing, system
outages, and communication with ITSC. CCS has begun revising the 2009 operational level
agreement between ITSC and CCS. The agreement describes the roles and responsibilities of all
relevant parties and explains the procedures for providing technical assistance on SharePoint-related
issues. The proposed changes will define the scope of CCS services to help reduce the
number of misrouted tickets and includes reference links to a customer support site to help ITSC
respond to common requests/incidents.
CCS has not yet discussed the proposed changes and
updates to the operational level agreement with ITSC; as a result, both parties are working from
different procedures and processes.

Recommendation 20: The Bureau of Information Resource Management should revise the
operational level agreement for SharePoint to delineate the roles and responsibilities of and
procedures to be followed by the Systems and Integration Office and the Information
Technology Service Center. (Action: IRM)

SharePoint customers are frustrated by the team’s inability to correct problems in a
timely manner. The OIG team was unable to determine the root cause of this issue because of the
numerous components and parties involved in the operational aspects of the SharePoint
environment (e.g., ITSC, CCS, and connectivity and latency factors). However, the inspectors
advised CCS management to continue to perform customer outreach and make customer service
its top priority. In March–April 2011, the SharePoint team conducted a customer survey tailored
to identify customer requirements for needed enhancements in SharePoint. However, the survey
did not contain any general customer service questions except for one on the SharePoint
customer support site where CCS advertises its brown bag sessions and workshops. Lack of
adequate customer feedback hampers SIO’s ability to address issues of primary concern to end
users.

Recommendation 21: The Bureau of Information Resource Management should conduct
regular SharePoint customer service surveys to seek feedback on the timeliness of responses,
routing of tickets, resolution of issues, and functionality of the application. (Action: IRM)

Once ITSC closes a ticket, it issues surveys to its customers to request feedback.
In the
past, ITSC provided this information to bureaus and offices. The Enterprise Collaboration
Services branch only recently began asking for this information because of the OIG inspection.
The branch received 109 responses on SharePoint usage from January 2011 to March 2012,
during which time the branch processed 2,982 tickets. CCS realizes the benefit of receiving this
information and has begun analyzing and measuring it against SLAs. For example, the group is
reviewing how long it takes for tickets to be transferred from ITSC’s Tier I support level to CCS.
The OIG team encourages CCS’s continued efforts to analyze performance and problem areas.

CCS has hosted more than 50 Enterprise SharePoint Configuration Control Board
meetings since August 2008. Five of those meetings were recently conducted virtually. During
the meetings CCS shares the status and impact of proposed configuration changes, reports on the
status of past or future maintenance activities, and provides an opportunity for SharePoint users
to raise issues and ask questions. As of January 2012, CCS had decided to hold virtual and in-person
meetings. The virtual meetings were intended to provide convenience to those overseas
customers in different time zones but instead have proved to be a disadvantage, as they hinder
back-and-forth communication with the SharePoint team. The SharePoint community is now
engaged in discussions about whether to continue virtual meetings.

SharePoint 2010 Migration

The Enterprise Collaboration Services branch has been working extensively on the
migration to SharePoint 2010. According to SIO management, SharePoint 2010 will provide
users with enhanced functionality, improved search capability and performance, and increased
storage capacity.
The migration to SharePoint 2010 requires extensive planning and coordination
among parties, as it involves moving all site collections from the SharePoint 2007 platform. The
branch originally planned to deploy the pilot in October 2011 but admits that this deadline was
too optimistic. According to management, several factors have contributed to the missed
milestone for the pilot, including performance problems with SharePoint in fall 2011, the vacant
branch chief position, staff turnover in the lead contract project manager position, and increased
workload among engineering staff members in resolving Tier III support issues. The branch has
now reset the pilot deployment date to May 2012, with an estimated year to migrate all customer
data. To assist, staff is employing a Scrum team software development methodology to expedite
the prototyping of a pilot architecture. Further, when SIO filled the branch chief position, albeit
briefly, in August 2011, CCS was able to prioritize projects and refine processes.

SIO management is in the early stages of determining whether and how to charge
customers for SharePoint services. CCS is responsible for designing a cost model and completing
a formal analysis so that it can present an informed recommendation to senior management on
the various fee-for-service options. Currently, CCS charges a fee of $135 per hour for any site
design work it conducts beyond the 8 hours of support it provides to customers.
The proposal to
begin charging for additional SharePoint services and usage is a recent one, and senior IRM
management requested that CCS management determine a charge-back cost model for
SharePoint support services.

Recommendation 22: The Bureau of Information Resource Management, in coordination with
the Bureau of Resource Management and the Bureau of Administration, should identify the
appropriate funding mechanisms and payment structures, if any, for SharePoint usage and share
this information with SharePoint customers. (Action: IRM, in coordination with RM and A)

Compensation Applications Branch

The Compensation Applications branch maintains the 30-year-old CAPPS mainframe,
which generates payroll for all U.S. citizen Department employees. The branch has performed
this mission-critical function well but is in transition as the Department plans to sunset the
current CAPPS application and move the payroll function to the Bureau of Resource
Management. This change has widespread ramifications for SIO, which still has much to do to
prepare for the transition.

The CAPPS system makes payments to approximately 29,500 Foreign Service and Civil
Service employees, family members, and personal services contractors. CAPPS excludes Foreign
Service national employees, who are paid by Foreign Service National Payroll Operations at
Global Financial Services Charleston, which is responsible for managing and overseeing the
Department’s payroll operation and for directing the Compensation Applications branch by
establishing priorities and providing guidance on mandated projects, such as the Roth Thrift
Savings Plan program, that the branch must implement.
Global Financial Services Charleston
also certifies the accuracy of payroll, funds CCS operations, and reviews the American personnel
and payroll history contained in the CAPPS Retirement Record System—the repository of
current and historical master files used to calculate the basic retirement benefits payable to
separated employees.

Discussions about modernizing the payroll system have been ongoing since 2004 but
gained added momentum when the Department decided not to join one of the Office of
Management and Budget’s designated e-Payroll service providers. Instead, the Department is
planning to develop a replacement payroll system that the Bureau of Resource Management will
deploy by the end of 2013. The sunset of the CAPPS system will mean the abolishment of
Compensation Application branch operations and uncertainty for its staff. The division chief has
known about these plans since November 2009 but has yet to develop a transition plan for branch
staff. A February 2012 visit by the Global Compensation Operations manager confirmed that the
transition to the new payroll system is on schedule for a December 2013 deployment.
After the
transition, the Compensation Application branch staff will be responsible only for maintaining
the Department’s domestic time and attendance system, WebTatel, until Global Financial
Services Charleston deploys a new system for domestic payroll processing, tentatively planned
for 2014.

The CCS division chief has encouraged its seven team members to prepare themselves
for the transition by offering training and asking staff to consider other possible career directions.
Some of these individuals have done little to prepare, and those with outdated technological
skills may be challenged in today’s sophisticated IT world. Individual development plans for the
Compensation Applications branch staff are being updated. CCS division management has
delayed development of a transition plan because of uncertainty regarding how the Vanguard
contract will affect the payroll function. However, during the OIG inspection, management
decided that the payroll function will not be part of the Vanguard 2.3.x series and that the
contract will continue through its final option year. A transition plan will assist management and
staff to adjust to the change in responsibilities and the role of the branch as a whole.
The
Department’s procurement experts can help SIO define the best course of action to continue
providing contractual support when the current contract expires in September 2012 and until the
Bureau of Resource Management takes control of the payroll function.

Recommendation 23: The Bureau of Information Resource Management, in coordination with
the Bureaus of Resource Management, Administration, and Human Resources, should develop a
transition plan for the Compensation Applications branch that includes, at a minimum, an
assessment of skills and training needs for individuals and a determination of the post-transition
role of the branch. (Action: IRM, in coordination with RM, A, and DGHR)

Recommendation 24: The Bureau of Information Resource Management, in coordination with
the Bureau of Administration, should determine what contractual arrangements are necessary to
administer the payroll function pending its transition to the Bureau of Resource Management’s
portfolio and implement them accordingly. (Action: IRM, in coordination with A)

Enterprise Programming and Integration Division

The EPI division is focused on facilitating Department-wide accessibility to software
solutions by employing application integration and data management technology solutions and
services. EPI is the focal point for some of the Department’s enterprise applications such as
eCountry Clearance, WebPass, and Concierge. The division chief received favorable marks from
staff, with many acknowledging the welcome structure and accountability she has brought to the
division. Most of the EPI branch chiefs and project managers are new to the Department, so a
transition is still under way regarding the SDLC process.
Management oversight of contract employees and their work is an area of concern.

A total staff of 17 full-time employees and 74 contractors support EPI’s four branches: Data Management, Integrated Projects, Application Development, and the Program Management office. The division chief and branch chiefs meet regularly to discuss project status and provide suggestions to one another on internal processes.

Data Management Branch

The Data Management branch is working effectively as a team, receiving strong leadership from its branch chief. The team consists of 3 full-time employees and 17 contractors who are responsible for treating data that are shared across bureaus within the Department as a global asset and for handling data governance matters. Two sections make up this branch: Enterprise Data Warehouse and Data Management and Governance. Each section engages with its customers to define business and data standards.

The branch chief meets with staff on a regular basis and is considered to be approachable, which has helped the branch address difficult issues. For example, the branch was involved in discussions with one of its primary customers regarding the implementation of WebPass and Concierge. Lack of participation from senior IRM officials caused problems initially, which the branch has since overcome with frequent communication between the branch chief and the customer.

Integrated Projects Branch

With a team of 3 full-time employees and 17 contractors, the Integrated Projects branch provides support services for CEIS and handles all of the Tier II and Tier III customer support levels for the Enterprise Service Bus, IT Asset Baseline, and Tips of the Day. The branch chief joined SIO 5 months ago and has been working on developing reporting and operational processes.
The branch is utilizing the Project Tracking System and internal spreadsheets to document its work.

The branch chief is an advocate for adhering to the established chain of command within management. As a result, all information is filtered through proper management channels from contractors to government project managers to the final report to the branch chief. This process helps keep government project managers informed of the work their respective teams are performing. The branch chief also takes a proactive approach, as evidenced by his enrollment of himself and other full-time personnel in COR training to improve monitoring of contractor work.

The OIG team found that information was missing from records for those applications and systems under EPI’s purview as an application owner, including in required fields such as the profile, distribution, parent-child relationship, and Federal enterprise architecture mapping. There were also apparent differences in how much information was reported for new applications and systems versus legacy assets. According to EPI management, stand-alone applications and systems that will reduce or eliminate the dependencies of other systems and subsystems with parent-child relationships are under development. However, there was no description of what information to include for each application and system, nor an indication of whether management had approved these decisions.
During this inspection, EPI management provided the missing information for its applications within the IT Asset Baseline.

Application Development Branch

The Application Development branch has 6 full-time employees and 26 contractors who are responsible for developing and supporting enterprise applications such as eCountry Clearance, WebPass, and Concierge. The OIG team found the branch chief less than fully engaged in the work or personnel matters of the branch. Although the chief meets with staff weekly, the level of engaged conversation is limited. When the OIG team brought these matters to the branch chief’s attention, his response was not supportive of needed change.

In addition, the branch chief has given more authority to contractors than to government full-time employees. For example, contractors are engaging as points of contact for and holding meetings with customers in lieu of government project managers. The OIG team was told repeatedly of instances in which contractors were not sharing information appropriately with government project managers and were assigning tasks to full-time employees only with the branch chief’s permission. Contractor management is discussed further in the Executive Direction section of this report.

The EPI division chief became aware of these problems only during the OIG inspection. Once informed, the division chief began to make organizational changes to ensure proper oversight of contractor and supervisory authority, including designating one full-time employee as the government lead for the application support help desk. The contractor lead will remain responsible for managing the contract staff with regard to applications support.
The branch chief is also establishing recurring status meetings with all government leads to monitor the activity and productivity of full-time employee government staff on the application support desk.

Program Management Office

The Program Management office has a team of 3 full-time employees and 14 contractors and is responsible for the oversight and development of the project management process flows and IT security and compliance within EPI. One of the team’s primary areas of focus is the integration of best practices and efficiencies within programs such as WebPass and Concierge. Among the office’s accomplishments is the establishment of EPI’s well-documented SDLC, which outlines and describes approaches to a variety of tasks or activities that take place during the software development process, from initiation to deployment. The responsibilities and role of EPI’s Program Management office are similar to those of other program management and process improvement positions within SIO. See the Executive Direction section of this report for more details on this matter.

The Program Management office comprises four teams. The Program Management team meets with customers during the initiation phase of a project to gather requirements. The IT Security and Compliance team handles the information systems security officer and compliance functions, including certification and accreditation activities. The Release and Configuration Management team validates change control and deployment readiness documentation. Finally, the Architecture/System Administration team is responsible for developing the best solution to meet customer needs and requirements.
See the Program Management Functions section of this report for further discussion of the Program Management office and a related recommendation.

List of Recommendations

Recommendation 1: The Bureau of Information Resource Management should establish a central repository for the management of Systems and Integration Office contracts so that all relevant documentation for each contract, such as statements of work, amendments, and invoices, is in one central location. (Action: IRM)

Recommendation 2: The Bureau of Information Resource Management should prepare a funding document that details the authorized, spent, and remaining funds for each Systems and Integration Office contract and implement procedures to verify and update this information regularly. (Action: IRM)

Recommendation 3: The Bureau of Information Resource Management, in coordination with the Bureau of Administration, should assign the responsibilities of contracting officer’s representatives and government technical monitors for Systems and Integration Office contracts to individuals who have the technical expertise to evaluate the scope of work performed by the contractors. (Action: IRM, in coordination with A)

Recommendation 4: The Bureau of Information Resource Management, in coordination with the Bureau of Administration, should implement a policy requiring all assigned contracting officer’s representatives and government technical monitors for Systems and Integration Office contracts to apply for Federal Acquisition Certification by completing the required training and submitting corresponding documentation to the Office of the Procurement Executive in accordance with Department of State guidelines.
(Action: IRM, in coordination with A)

Recommendation 5: The Bureau of Information Resource Management should clearly document the alternative systems development methodologies and criteria for use of each methodology in Systems and Integration Office development activities. (Action: IRM)

Recommendation 6: The Bureau of Information Resource Management should document which tool to use for centralized project tracking for Systems and Integration Office projects and enforce compliance among personnel. (Action: IRM)

Recommendation 7: The Bureau of Information Resource Management should determine the role and organizational placement of the Program Management office and function within the Systems and Integration Office and define terminology pertaining to program management activities. (Action: IRM)

Recommendation 8: (b) (5)

Recommendation 9: (b) (5)

Recommendation 10: The Bureau of Information Resource Management should revise and finalize the property management standard operating procedures for the Systems and Integration Office to provide clear definitions for and identification of division and individual responsibilities. (Action: IRM)

Recommendation 11: The Bureau of Information Resource Management should implement a tool for the Systems and Integration Office to track its inventory. (Action: IRM)

Recommendation 12: The Bureau of Information Resource Management should develop a set of criteria and guidelines for the Systems and Integration Office’s financial change control board to use in its review of and decisions on purchase and training requests.
(Action: IRM)

Recommendation 13: The Bureau of Information Resource Management should reassign the responsibility for monitoring and tracking of and accounting for budget information in the Systems and Integration Office to a government full-time employee and make only limited budget information accessible to contractor staff. (Action: IRM)

Recommendation 14: The Bureau of Information Resource Management should reassign the responsibility for the management and analysis of SharePoint waiver requests to the Collaboration and Compensation Services division within the Systems and Integration Office. (Action: IRM)

Recommendation 15: The Bureau of Information Resource Management should reassign the responsibility for Enterprise Service Operations Center service level agreements to the Enterprise Service Operations Center division within the Systems and Integration Office. (Action: IRM)

Recommendation 16: The Bureau of Information Resource Management should incorporate the essential characteristics of cloud computing as specified by the National Institute of Standards and Technology model into its cloud computing efforts to facilitate consistency among mission statements and goals. (Action: IRM)

Recommendation 17: The Bureau of Information Resource Management should perform a risk management assessment of SharePoint and determine the appropriate security categorization based on its current scope and use. (Action: IRM)

Recommendation 18: The Bureau of Information Resource Management should revise the service level agreement process for SharePoint services to include a signed certification of understanding from both parties regarding the current security categorization of SharePoint and the specific limitations on content within the SharePoint environment and implement a process for periodic review of the agreement.
(Action: IRM)

Recommendation 19: The Bureau of Information Resource Management should transfer the primary responsibility for notifying customers on SharePoint outages from the Information Technology Service Center to the Systems and Integration Office and revise the operational level agreement accordingly. (Action: IRM)

Recommendation 20: The Bureau of Information Resource Management should revise the operational level agreement for SharePoint to delineate the roles and responsibilities of and procedures to be followed by the Systems and Integration Office and the Information Technology Service Center. (Action: IRM)

Recommendation 21: The Bureau of Information Resource Management should conduct regular SharePoint customer service surveys to seek feedback on the timeliness of responses, routing of tickets, resolution of issues, and functionality of the application. (Action: IRM)

Recommendation 22: The Bureau of Information Resource Management, in coordination with the Bureau of Resource Management and the Bureau of Administration, should identify the appropriate funding mechanisms and payment structures, if any, for SharePoint usage and share this information with SharePoint customers. (Action: IRM, in coordination with RM and A)

Recommendation 23: The Bureau of Information Resource Management, in coordination with the Bureaus of Resource Management, Administration, and Human Resources, should develop a transition plan for the Compensation Applications branch that includes, at a minimum, an assessment of skills and training needs for individuals and a determination of the post-transition role of the branch.
(Action: IRM, in coordination with RM, A, and DGHR)

Recommendation 24: The Bureau of Information Resource Management, in coordination with the Bureau of Administration, should determine what contractual arrangements are necessary to administer the payroll function pending its transition to the Bureau of Resource Management’s portfolio and implement them accordingly. (Action: IRM, in coordination with A)

List of Informal Recommendations

Informal recommendations cover operational matters not requiring action by organizations outside the inspected unit and/or the parent regional bureau. Informal recommendations will not be subject to the OIG compliance process. However, any subsequent OIG inspection or on-site compliance review will assess the mission’s progress in implementing the informal recommendations.

Informal Recommendation 1: The Bureau of Information Resource Management should conduct periodic reviews of the Systems and Integration Office’s mission and goals to measure its progress in meeting the Department of State’s information technology strategic goals and make revisions as needed.

Informal Recommendation 2: The Bureau of Information Resource Management should label all servers and network devices at domestic data centers according to Department of State guidelines.

Informal Recommendation 3: The Bureau of Information Resource Management should mitigate the risk of water leakage from the pipes onto the server racks at Enterprise Service Operations Centers.

Principal Officials
                                                                  Name                      Arrival Date

Director                                                          Cynthia Cassil            Cynthia Cassil
Business Engagement Center                                        Catherine Walker          03/08
Collaboration and Compensation Services                           Penny Duncan              07/09
Enterprise Programming and Integration                            Michelle Sparrow-Walker   07/09
Enterprise Server Operations Center, Operations and Maintenance   C. Melonie Parker-Hill    06/07
Enterprise Server Operations Center, Design and Build             Raymond Brow              11/06

Abbreviations

BEC             Business Engagement Center division
CAPPS           Consolidated American Payroll Processing System
CCS             Collaboration and Compensation Services division
CEIS            Customer and Executive Information System
COR             Contracting officer’s representative
D&B             Design and Build division
EPI             Enterprise Programming and Integration division
ESOC            Enterprise Server Operations Center
GTM             Government technical monitor
IRM             Bureau of Information Resource Management
IT              Information technology
ITSC            Information Technology Service Center
NIST            National Institute of Standards and Technology
O&M             Operations and Maintenance division
SDLC            Systems development lifecycle
SIO             Systems and Integration Office
SLA             Service level agreement

FRAUD, WASTE, ABUSE, OR MISMANAGEMENT of Federal programs hurts everyone.

Contact the Office of Inspector General HOTLINE to report illegal or wasteful activities:

202-647-3320
800-409-9926

oighotline@state.gov

oig.state.gov

Office of Inspector General
U.S. Department of State
P.O. Box 9778
Arlington, VA 22219
'